author | George Hazan <ghazan@miranda.im> | 2022-08-05 11:59:56 +0300 |
---|---|---|
committer | George Hazan <ghazan@miranda.im> | 2022-08-05 12:00:05 +0300 |
commit | ff9679b7f42879dde78c4f74682eff63ee152e7c (patch) | |
tree | fb0a769fd04bb176c73b4ce6a075f437b93ef94d /src/mir_app | |
parent | d7092be278f2467a33ef4e275cebeaa05dd0f431 (diff) |
fixes #3140 (RFC 9266: Channel Bindings for TLS 1.3 support)
Diffstat (limited to 'src/mir_app')
-rw-r--r-- | src/mir_app/src/mir_app.def | 2 | ||||
-rw-r--r-- | src/mir_app/src/netlib_ssl.cpp | 17 |
2 files changed, 17 insertions, 2 deletions
diff --git a/src/mir_app/src/mir_app.def b/src/mir_app/src/mir_app.def
index 34764c676a..f49cd58964 100644
--- a/src/mir_app/src/mir_app.def
+++ b/src/mir_app/src/mir_app.def
@@ -735,7 +735,7 @@ Chat_CreateMenu @824 NONAME
 ?OnEventEdited@PROTO_INTERFACE@@UAEXII@Z @828 NONAME
?GetChecker@MDatabaseCommon@@UAGPAUMIDatabaseChecker@@XZ @829 NONAME
?GetMenuItem@PROTO_INTERFACE@@QAEPAUTMO_IntMenuItem@@W4ProtoMenuItemType@@@Z @830 NONAME
-_Netlib_GetTlsUnique@8 @831 NONAME
+_Netlib_GetTlsUnique@12 @831 NONAME
?IsDirect@PU@@YG_NXZ @832 NONAME
?IsProcessElevated@PU@@YG_NXZ @833 NONAME
?PrepareEscalation@PU@@YG_NXZ @834 NONAME
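Review bot: Ordinal 831 is reused while the stdcall decoration changes from `@8` to `@12`, and the entry is `NONAME`, so a binary linked against an older import library would still resolve the export by ordinal. It would then call the function with two arguments where three are now expected, which on a callee-cleanup convention unbalances the stack and hands the function an uninitialised `tlsVer` reference. If plugins built outside this tree can exist, exporting the new signature under a fresh ordinal and retiring 831 turns that mismatch into a load-time failure; if every consumer is rebuilt together, a comment next to the entry recording the ABI break would be enough.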
diff --git a/src/mir_app/src/netlib_ssl.cpp b/src/mir_app/src/netlib_ssl.cpp
index 3874d978f4..3bf4c2afa3 100644
--- a/src/mir_app/src/netlib_ssl.cpp
+++ b/src/mir_app/src/netlib_ssl.cpp
@@ -380,16 +380,31 @@ MIR_APP_DLL(int) Netlib_StartSsl(HNETLIBCONN hConnection, const char *szHost)
 /////////////////////////////////////////////////////////////////////////////////////////
 // gets TLS channel binging data for a socket
-MIR_APP_DLL(void*) Netlib_GetTlsUnique(HNETLIBCONN nlc, int &cbLen)
+static char TLS13_Label[] = "EXPORTER-Channel-Binding";
+
+MIR_APP_DLL(void*) Netlib_GetTlsUnique(HNETLIBCONN nlc, int &cbLen, int &tlsVer)
 {
 if (nlc == nullptr || nlc->hSsl == nullptr)
 return nullptr;
 char buf[1000];
+ auto *pszVersion = SSL_get_version(nlc->hSsl->session);
+ if (!mir_strcmp(pszVersion, "TLSv1.3")) {
+ int res = SSL_export_keying_material(nlc->hSsl->session,
+ (uint8_t *)buf, 32, TLS13_Label, sizeof(TLS13_Label) - 1, 0, 0, 0);
+ if (res == 1) {
+ tlsVer = 13;
+ void *pBuf = mir_alloc(cbLen = 32);
+ memcpy(pBuf, buf, cbLen);
+ return pBuf;
+ }
+ }
+
 size_t len = SSL_get_finished(nlc->hSsl->session, buf, sizeof(buf));
 if (len == 0)
 return nullptr;
+ tlsVer = 12;
 cbLen = (int)len;
 void *pBuf = mir_alloc(len);
 memcpy(pBuf, buf, len); |
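Review bot: When the session is TLS 1.3 but `SSL_export_keying_material` does not return 1, control leaves the new `if` block and falls into the `SSL_get_finished` path, so the caller receives Finished-message bytes labelled `tlsVer = 12`. RFC 9266, which this commit implements, does not define tls-unique for TLS 1.3, so the function should fail closed there: add `return nullptr;` after the inner `if (res == 1) { … }`, still inside the TLS 1.3 branch. On the nullptr returns `cbLen` and `tlsVer` are left unwritten, and the new `mir_alloc(cbLen = 32)` result is passed to `memcpy` unchecked, so a header comment stating that the outputs are valid only for a non-null return, plus a null check before the copy, would help callers. A short comment such as `// RFC 9266 tls-exporter: 32 bytes, empty context (same as no context in TLS 1.3)` would explain the literal `32` and the trailing `0, 0, 0`, and `TLS13_Label` can be `static const char[]`. The function body continues past the end of this hunk.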